be8ffc0c91b5e447946d1892d0119251f0b514dbd490045d402dc9e1e2fed2a0

Analysis

max time kernel
142s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

464411f0c7db8b5f8eec494db82f3d4f.exe
Size

1000KB
MD5

464411f0c7db8b5f8eec494db82f3d4f
SHA1

6ec326eb141c267b28ea263d619c0f58e509e16a
SHA256

be8ffc0c91b5e447946d1892d0119251f0b514dbd490045d402dc9e1e2fed2a0
SHA512

bce62c9c3b4c4959bec88e18f7b46d10847d1e073cdfa74d11a2fa6c07fa5180f5d49103f1f1f8787f83e06348270fca153fcd7c59cb80be3235fbb5f5f48bb1
SSDEEP

12288:sxcDxsHNiBnHTvB0EOvrehS1VECaBwQ2tb5JLrnylUPqt0gHDS7eyod:DmHynHjB0EmrehS81B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3612	464411f0c7db8b5f8eec494db82f3d4f.exe

Executes dropped EXE 1 IoCs

pid	Process
3612	464411f0c7db8b5f8eec494db82f3d4f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3612	464411f0c7db8b5f8eec494db82f3d4f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	464411f0c7db8b5f8eec494db82f3d4f.exe
3612	464411f0c7db8b5f8eec494db82f3d4f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4588	464411f0c7db8b5f8eec494db82f3d4f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4588	464411f0c7db8b5f8eec494db82f3d4f.exe
3612	464411f0c7db8b5f8eec494db82f3d4f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3612	4588	464411f0c7db8b5f8eec494db82f3d4f.exe	93
PID 4588 wrote to memory of 3612	4588	464411f0c7db8b5f8eec494db82f3d4f.exe	93
PID 4588 wrote to memory of 3612	4588	464411f0c7db8b5f8eec494db82f3d4f.exe	93
PID 3612 wrote to memory of 2912	3612	464411f0c7db8b5f8eec494db82f3d4f.exe	95
PID 3612 wrote to memory of 2912	3612	464411f0c7db8b5f8eec494db82f3d4f.exe	95
PID 3612 wrote to memory of 2912	3612	464411f0c7db8b5f8eec494db82f3d4f.exe	95

C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe
"C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe
  C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\464411f0c7db8b5f8eec494db82f3d4f.exe

Filesize
1000KB

MD5
4f444067bf840fe1158294c085ee1b5d

SHA1
08d1dd0d1f9f74488035f6af0c6be9783cd399b3

SHA256
53d872554f943000d920ec8128c32b110207bcedeaa2a76dea75ef8f866add3f

SHA512
c31794da27e79564f4b3ac873c421062e625ea5230b0f448d18d66572c850b0d3755d4ac04bff7b4de10ea23f3353694f90bda87dce17fde6d7ba781a4dd6355

Download Submit
memory/3612-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3612-15-0x0000000000170000-0x00000000001F3000-memory.dmp

Filesize
524KB

Download
memory/3612-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/3612-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3612-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4588-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4588-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/4588-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4588-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download